Xton Access Manager (XTAM) Frequently Asked Questions
For Windows installations:
Windows Server 2008 R2+ or Windows 7+
For Unix or Linux Installations:
Red Hat, Ubuntu Server or Desktop, Debian and CentOS
Please click here for full system requirements and additional details.
What are nodes? Can you recommend a proper server configuration for my needs?
Xton Access Manager server is installed on one or more physical or virtual computers, and we call each of these computers a “node”. A single-node setup is very easy and quick to configure; however, administrators might decide to use a multi-node deployment to increase performance, improve availability (in case one of the nodes malfunctions) or improve security (to keep the master password separate from the encrypted data).
To read additional details about XTAM’s architecture, configuration and recommendations, please click here.
Why is it so important to save my master password during installation? What would I need this for in the future?
Xton Access Manager (XTAM) encrypts sensitive data stored in the backend database using an AES-256 algorithm. This algorithm is based on the master key that XTAM uses to lock and unlock encrypted data. Without the master key nothing can decrypt sensitive data in your XTAM database.
Master Passwords generated and displayed during installation. Windows installation on the left and Unix on the right.
Continue reading here for additional information about the master password and its use.
I installed your trial and my web browser is saying my connection is not secure. What does this mean?
XTAM generates its own self-signed SSL certificate during installation in order to provide a level of encryption “out of the box” over a secured port. Because this certificate is unknown to your browser and is not from a “well-known” Certificate Authority, your browser is simply alerting you to this situation.
To learn more about how you can address this behavior, please read our SSL Certificate Browser Warning article.
I am concerned about storing my XTAM decryption key on the same host where XTAM is installed. Can these be separated?
If you have these concerns or simply want additional security, then the XTAM Master Password can be safely stored on a separate host.
This guide explains the simple process required for this configuration.
I don't have internet access on the server where I want to install XTAM. How can I install it here?
XTAM comes with both a traditional online installer and an offline installation package. If an internet connection cannot be established to our server hosting the download, then the offline package can be downloaded from another computer and copied over to your desired XTAM host.
To learn more about offline installation, please read this XTAM Offline Installation page.
Does XTAM provide an enterprise sign-in experience?
Yes, XTAM provides a more enterprise-grade, secure login experience that can be further integrated with many common multi-factor and two-factor authentication providers.
To learn more about the benefits and configuration options, please read this XTAM Federated Sign-In page.
How do I connect to my own external database?
Xton Access Manager supports a wide range of the most popular database systems on the market. When configuring XTAM to use your own database, you will need to supply the database connection string. In general, the connection string will follow this pattern:
db-host or db-host:port
To view specific examples for each supported database, please review this page.
How can I integrate XTAM with my Active Directory?
XTAM integrates seamlessly with your Active Directory so that AD users and groups can be given access to the system or have records and folders shared with them.
This Active Directory page provides the steps required for AD integration that can be completed either during or after XTAM has been installed.
Can I integrate XTAM with multiple domains to provide user logins to the application?
Yes, XTAM can be configured to support login and authentication services from multiple AD or LDAP providers.
The following article describes how to configure and disable these additional domain connections.
Can I integrate XTAM with a multi-domain forest where AD Trusts are established?
Yes, XTAM can be quickly integrated with multi-domain forests with AD trusts after installation.
The following article describes how to configure this multi-domain forest with AD trust deployment.
Can I integrate XTAM with our NetIQ eDirectory service to provide user logins to the application?
Yes, XTAM can be configured to support eDirectory login and authentication services.
The following article describes how to integrate your existing XTAM deployment with NetIQ eDirectory.
How can I replace the default XTAM SSL certificate with my own trusted SSL certificate?
To provide a means of encryption “out of the box”, XTAM generates its own certificate during installation. Because of this procedure, it is not trusted by your browser and therefore a security warning is displayed.
If you already have your own trusted SSL certificate that you would rather use, please follow the procedure detailed in our How to Replace the XTAM SSL Certificate article.
How can I generate a certificate request for my XTAM server?
Please read our How to Generate a Certificate Request article for detailed steps.
I am getting certificate errors when trying to use the Federated Sign-In module, why?
In order for the Federated Sign-In module to operate properly, it needs to be secured with a certificate that is trusted by the XTAM web application. When using a self-signed certificate, this communication is usually not trusted, which is why a well-known certificate from a trusted CA is recommended.
To learn more about potential Federated Sign-In certificate errors and resolutions, please read this article.
Can XTAM integrate with my ADFS?
Yes, XTAM provides native SAML support so that it can integrate with common SSO providers like ADFS.
To learn how to configure XTAM and ADFS integration, please review the following article.
Can XTAM integrate with my Azure Active Directory using SSO?
Yes, XTAM provides SAML support with the use of its Federated Sign-on Module, to provide SSO integration with Azure Active Directory.
To learn how to configure XTAM and Azure AD SSO integration, please review the following article.
Can XTAM integrate with my Okta SSO credentials?
Yes, XTAM provides native SAML support so that it can integrate with common SSO providers like Okta.
To learn how to configure XTAM and Okta integration, please review the following article.
How can I export my XTAM database?
For security, import and “break glass” scenarios, it is always a good idea to keep one or several exports of your XTAM database in a secure location.
The following article describes how System Administrators can export the XTAM database automatically on a schedule or on-demand.
How can I import my exported XTAM database?
Now that you have exported your XTAM database, you need a method to import it into XTAM.
Before covering the specific import steps, you must first understand what you exported (encrypted or decrypted) and where you want to import (to the same or new XTAM deployment).
The following article describes the possible Import scenarios available and how System Administrators can perform an Import using a previously exported XTAM database.
How can I configure XTAM to output to my Syslog server or appliance?
Many companies choose to centralize security and network logging to a single Syslog server or appliance to reduce the burden of log collection, investigation and reporting across many devices. While XTAM does include its own logging engine that captures and stores events, it can also be configured to output this information to your centralized syslog server.
To read how to configure this output, please review our How to Configure Syslog Output article.
Where can I activate or register the software?
After the software has been successfully installed and the database has been initialized, it is a good next step to activate or register it. To register Xton Access Manager, please navigate to the following location:
Administration > Settings > Registration.
Enter your key in the Activation Code field, click Automatic Registration and once the key has been successfully verified click Save to complete the registration.
For a detailed walk-through of this process, including offline or manual registration, please click here.
How can I secure my client traffic to XTAM with an SSL certificate?
Xton Access Manager (XTAM) is a WEB application deployed into a WEB container that listens as a WEB Front End (WFE) for incoming connections on the default port 8080. While this default setup is adequate for trial and moderate use of the application, the recommended configuration for opening this WEB container to the outside world involves a load balancer (reverse proxy) deployed in front of the WFE or multiple WFEs. The reverse proxy is used to control incoming traffic, to load balance multiple XTAM WEB containers for high availability and scalability, and also to secure the incoming traffic with an SSL certificate.
Please click here to read about how secure traffic works in XTAM and how to configure SSL during or post installation.
How can I secure my traffic between a load balancer and my XTAM nodes?
Although some may disagree about whether this step is required, XTAM does support securing the traffic between a load balancer and your XTAM web container(s) with an SSL certificate.
If you are interested in this approach, please click here to learn more.
How do I configure an HTTPS Load Balancer in a Linux deployment of XTAM?
Configuring an HTTPS secured load balancer can be achieved by performing the steps outlined in the following guides. Please note that our guides will assume a single node XTAM deployment with Apache HTTP.
For Red Hat or CentOS, please review this guide.
For Debian or Ubuntu, please review this guide.
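The reverse-proxy deployment described above, as an added example that is not part of the XTAM documentation or the product's own configuration: an Apache HTTP Server virtual host that terminates TLS and forwards to a single XTAM web front end. It assumes the WFE is reachable on 127.0.0.1:8080 (XTAM's default port), that xtam.example.com and the certificate paths are placeholders for your own host name and trusted certificate, and that mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_headers and mod_rewrite are enabled.

```apache
# Added example (not from XTAM): Apache as a TLS-terminating reverse proxy
# in front of one XTAM web front end (WFE) on its default port 8080.
# Placeholders: xtam.example.com, certificate and key paths.
# Apache does not allow comments on directive lines, so notes sit above them.

# --- Weak setting (for contrast): plain HTTP proxied straight to the WFE --
# <VirtualHost *:80>
#     ProxyPass        / http://127.0.0.1:8080/
#     ProxyPassReverse / http://127.0.0.1:8080/
# </VirtualHost>
# Logins, unlocked passwords and session cookies would cross the network
# unencrypted, so this form should never face users directly.

# --- Corrected: port 80 only redirects to HTTPS ---------------------------
<VirtualHost *:80>
    ServerName xtam.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

# --- Corrected: HTTPS terminates here and is proxied to the WFE -----------
<VirtualHost *:443>
    ServerName xtam.example.com

    SSLEngine on
    # Your trusted certificate (with intermediate chain appended) and key.
    SSLCertificateFile    /etc/pki/tls/certs/xtam.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xtam.example.com.key
    # Disable legacy protocols; tighten further to match your policy.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!3DES

    # Browsers remember to use HTTPS for this host (HSTS).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Pass the original host and scheme so the application builds https:// URLs.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # In-browser sessions may use WebSockets (assumption); upgrade requests
    # are tunnelled to the WFE, everything else is proxied as HTTP.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:8080/$1 [P,L]

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Pair this with a host firewall rule so that port 8080 accepts connections only from the proxy (or bind the WFE to 127.0.0.1); otherwise clients could bypass TLS by connecting to the WFE directly. Run `apachectl configtest` before reloading.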
I am deploying a remote Session Manager component, where and how can I secure its connection with a certificate?
Xton Access Manager’s architecture allows scaling to offload components to other servers for performance, geographical or network reasons. One of these components is the Session Manager module. By deploying this component on a different server it can allow sessions to be established to computers or systems that may not otherwise be accessible.
While this allows for greater flexibility, it is important that the communication between the XTAM web and these remote Session Manager components be secured to limit their exposure. This security comes in the form of a certificate that ensures the communication cannot be intercepted.
Please click here to read about how to secure your Remote Session Manager.
How do I configure which session manager to use when specific remote sessions are connected?
XTAM provides the ability to use multiple session managers for scaling, performance or load balancing scenarios. To send session traffic to a particular session manager, you create Proximity Groups, each of which pairs a configuration based on an IP range or host mask with the Session Manager server that will be used for the remote session.
Please click here to read more about Proximity Groups and how to create them.
What is the Record List?
XTAM’s Record List can be thought of as its homepage: the place where all users are redirected upon login. This page includes a number of navigation, search, management and object options that allow the user to work inside XTAM.
For a detailed list of options present on the Record List page, please read our What is the Record List? article.
How do I share a record or folder with someone?
When two or more users need access to a record or folder in Xton Access Manager, the Owner of this object needs to share access to it, which means creating or modifying the Permissions associated with the object. When the permissions are modified and shared with a user (or group), the Owner also needs to specify which level of control this user (or group) should have over the object.
Sharing and Permissions consist of a few key concepts: Users or Groups, Roles, Session Control and Inheritance.
The following page walks through these concepts as well as the steps needed to share or modify permissions on a Record or Folder.
Can I setup an approval workflow for extra security like Dual Control or Four Eyes?
Yes, XTAM provides the ability to secure user actions behind an approval workflow. Actions like unlocking a password or connecting to a remote session can be configured so that, rather than a user simply accessing this functionality, they would first need to be granted approval by one or more approvers. This provides that extra (dual) control or that extra pair of eyes (four eyes) for your privileged access management in XTAM.
To learn more about XTAM approval workflows, please start with the XTAM Request and Approval Workflows page and use the links at its bottom to read more.
If you want to jump right in, take a look at our XTAM Approval Workflow Getting Started Walk-through page.
What are Record Types?
Xton Access Manager provides a variety of out-of-the-box Record Types to assist in creating, organizing, connecting and establishing inheritance (parent/child relationships) of strategies within your records and secrets. The following FAQ article lists and defines each of the available Record Types in XTAM.
Custom record types can also be created by System Administrators.
Please click here to read the full list of currently available out of the box Record Types in XTAM, a description of each and which fields are available.
What is the difference between Folders and Vaults?
XTAM provides the option of Folders or Vaults when creating containers. While both are useful for organizing, sharing and managing many records more easily, they do have several distinct differences.
To learn more about these container differences, please read our Folders vs Vaults article here.
What is a Reference Record?
A reference record is a record that is used in multiple other records so that parameters (User, Password, Certificate or Passphrase) can be shared. For example, you could create an Active Directory account record and rather than re-entering the same user, password, certificate or passphrase into multiple other records, you could simply point to this AD account as a reference and the system will auto-populate and maintain these parameters. The system will then “reference”, instead of storing a copy, this original record when needing to access the shared credentials.
To learn more and to see a quick example, please read our Reference Record page.
What is a Shadow Account?
A Shadow Account is a secondary account used to connect to the remote computer on behalf of the primary record account to perform the designated tasks.
Normally the record account is used to connect to the remote computer to execute scripts. When a shadow account is specified for the task the script is executed under the shadow account privileges although it still has access to the main record account.
To learn more about Shadow Accounts, please read our Shadow Account page.
Can I check out records so that only a single user can work with them at a time?
Yes, when configuring your workflow binding, simply set the Checkout option to either Optional (allows the user to decide) or Required (the record will always be checked out when approved).
To learn more about this Check Out feature, including its use of One Time Passwords, please read How to Configure Record Check Out.
Are records verified on a regular basis to ensure parameters are accurate? Heartbeat check?
Yes, XTAM comes pre-configured with a Heartbeat or Check Status task that is executed after a new record is created or an existing record is updated (manually or automatically).
Continue reading our Heartbeat page for more information.
Can XTAM generate a strong password for my record?
Yes, any record type that contains the default Password field has an option to automatically generate a strong, unique password for you based on your defined password complexity formula.
Learn more about this Generate Password option in the following FAQ article.
I want to execute one or more tasks against many managed hosts. Is there an easy way to do this rather than creating hundreds of individual records?
Yes, if you can query your hosts (for example, an AD query) and have an account that can authenticate against each, then you can make use of our Host Query record.
Learn more about our Host Query records and how to use them in this FAQ article.
I use another system to manage access, can I import their records?
To get you started using XTAM more quickly, the following import options are available to bulk create records and folders from third party systems.
Import from a CSV File
Import from a Remote Desktop Connection Manager save file (.rdg)
Import from an exported PuTTY file (.reg)
To import, simply navigate to the folder where you wish to have the import created, click the Import button and then select your file. Once the file is processed, your records and folders will be created and immediately available for you in the Records view.
For additional information about Importing, please review the Importing Records page.
Does XTAM provide SSH Key Management including key rotation?
Yes, XTAM can be used to manage any number of SSH keys and the endpoints that are secured with them. Management includes secured sharing, automated SSH key rotation, auditing and creating remote sessions, all without giving users access to the actual key file.
To learn more, please read our SSH Key Management article.
Can XTAM manage access and passwords for my Apple (Mac) systems?
Yes, XTAM provides support for Apple hosts, including password-less secure connections with recording, workflows and password reset or rotations.
To learn how to create these records, please read our PAM for Apple (Mac) Hosts article.
Can XTAM manage access and passwords for my Cisco devices?
Yes, XTAM provides support for Cisco devices, including password-less secure connections with recording, automatic Enable mode and password reset or rotations.
To learn how to create these records, please read our PAM for Cisco devices article.
Can XTAM manage access and passwords for my Juniper devices?
Yes, XTAM provides support for Juniper devices, including password-less secure connections with recording and password reset or rotations.
To learn how to create these records, please read our PAM for Juniper devices article.
Can XTAM manage access and passwords for my Palo Alto Network devices?
Yes, XTAM provides support for Palo Alto Network devices, including password-less secure connections with recording and password reset or rotations.
To learn how to create these records, please read our PAM for Palo Alto Network devices article.
How can I configure a record so that the user must define the Host or User credentials during each connection?
This is quite easy: simply leave these parameters empty when creating the record. You can leave the Host, Port, User and Password fields empty, and when the user clicks the Connect (or Connect and Record) button they will be prompted to supply the missing values. In this situation, XTAM will attempt the connection using the supplied values and will rely on the host system to authenticate them.
This is quite useful when you want to provide a bit of flexibility to your XTAM users but not sacrifice the ability to audit, record and monitor their activities and sessions. For configuration screenshots and additional information, please read this configuration article.
How can I configure records so that the password is split between multiple users? Two-person rule?
If business requirements or regulatory compliance requires that no single user can view a password in its entirety, then enabling XTAM’s Split View option is what you need. When Split View is enabled, a record’s Password is equally split into two parts with each part only visible to users in opposing permission roles.
To learn more about Split View and how to enable it in XTAM, continue reading this Split View FAQ article.
How can I save a file to a record?
Xton Access Manager’s Records can be used to securely store (encrypted) and share any file type, including certificates, keys, archives and documents, in its AES-256 protected database. This is extremely useful when needing to share file objects between trusted users while maintaining security and capturing audit events like who downloaded the file and when.
Please click here to view the steps required to create and store files within a secured Record.
Can XTAM use my native client side applications to connect to privileged systems? PuTTY or SecureCRT?
Yes, XTAM supports native client side SSH applications to securely connect to various Unix, Linux, network and security devices or most anything else that communicates using the SSH protocol. If you don’t have or use a native SSH client like PuTTY, SecureCRT or WinSCP, then don’t worry, you can also connect with just your web browser. No agents or specialized clients are required.
For more information, please read our article about Privileged SSH Sessions.
Can XTAM launch remote applications and automatically populate values including user and password?
Yes, XTAM includes RemoteApp functionality that utilizes Windows Remote Desktop Services or the TSplus Remote Application protocol to securely launch applications and automatically enter credentials. This provides users a secure, password-less connection to popular software like MS SQL Server Management Studio, with the added benefit of video and keystroke recording.
To learn more about XTAM remote app launchers, please start with the XTAM Windows Remote App Launcher page and use the links at its bottom to read more.
If you want to jump right in, take a look at our XTAM Remote Apps Launcher Getting Started Guide for Windows RDS or XTAM Remote Apps Launcher Getting Started Guide for TSplus.
Can I create secure sessions to websites or custom web applications?
Yes, XTAM supports the creation of secure remote sessions to websites, web portals and custom web-based applications using its HTTP Proxy feature.
To learn more about XTAM’s HTTP Proxy module, please start with this overview page to understand how it works.
If you want to start using it, then please review our How-To Guide covering the setup, configuration and use of XTAM’s HTTP Proxy to create remote web sessions.
Can XTAM execute a specific command when a remote session is connected?
Yes, when a record is created using the Unix Host Command record type, it provides the option to automatically execute a command when the session is connected. This allows a user to connect to the managed endpoint while sandboxing them to a specific application. For example, an Admin can connect to the production database server, but the session will automatically connect to the MySQL instance (without disclosing the password), so this Admin cannot perform any other duties outside of this MySQL prompt.
To learn more about the XTAM Unix Host Command, please read our FAQ Automatic Command Execution During SSH Login.
Can I whitelist or blacklist commands that users can execute during remote sessions?
Yes, Command Control in XTAM offers Administrators the ability to restrict the commands that can be executed via a whitelist or blacklist in both Windows and Unix remote sessions. In addition to the command restrictions themselves, Command Control can also place restrictions on command Arguments and on what can, cannot or must be “piped” to commands.
To learn more about XTAM Command Control, please start with the XTAM Command Control page and use the links at its bottom to read more.
If you want to jump right in, take a look at our XTAM Command Control Getting Started Walk-through page.
Can XTAM be used to help secure SSH Tunnel access?
Yes, through the use of our SSH Proxy feature, you can also provide SSH Tunnel access.
Read our SSH Tunnel for Privileged Access article for more information.
Can XTAM automatically use my logged credentials to authenticate my remote session?
Yes, XTAM can be configured to take the credentials (user and password) that were used to log in to it and automatically use them to connect you to a remote endpoint.
Read the following article to learn more about how XTAM can Pass-Through Credentials.
Can XTAM dynamically load credentials from another record to authenticate my remote session?
Yes, XTAM can be configured to locate credentials from another record and then dynamically use them for connection based on a user’s login or other search criteria.
Please read XTAM’s Dynamic Credential Login article for more information.
Can I copy a file or clipboard text to or from Remote Sessions?
Yes, XTAM provides the ability to copy files and/or clipboard text between your local host computer and the remote host in your secured session. This transfer supports both Windows and Unix/Linux (including ASCII mode for files) transfers as well. If required, in-browser file transfer can be disabled.
To learn how to transfer between your local computer and your secured remote host session, please take a look at this page.
Are sessions video recorded? How can I find them and how are they configured?
XTAM provides the option to video record all actions that are performed during a secure remote session. This option can be configured to always record or to record optionally, and it has both instant playback options and convert-and-export options.
To learn more about XTAM Session Video Recordings, please see this article.
Can I join another user's Active session?
Yes, assuming you have the appropriate permissions you may join an Active remote session of another user in order to monitor their activities or to interactively participate.
To learn more about how this works, please read our How to Join an Active Session article.
Can I open my Sessions in a full browser screen instead of a smaller window? Or a new browser tab?
Yes, XTAM secure remote sessions can be set to open in a full-screen browser view, a smaller windowed view or a new browser tab. If you are an XTAM Administrator, this can be set at a Global level; if you are an XTAM non-Administrator, you can set your personal preference for your own sessions.
The following page describes how to configure both options.
I can't connect to a session and the process is stuck on Connecting to Session Manager. What should I do?
If a user attempts to establish a session and the browser displays the message “Connecting to Session Manager”, but it does not connect to the host, then please try the following suggestions.
Are keystrokes or clipboard text recorded in XTAM remote sessions?
Yes, both keystroke and clipboard text are recorded in all Xton Access Manager remote sessions (video can optionally be recorded too!).
Please read our Remote Session Keystroke and Clipboard Recording page for more information.
I am receiving error code 519 when attempting to connect a session. What does this mean?
Session Error Code 519 means that XTAM was unable to connect to the remote host using the parameters specified in the record.
Please review our Error Code 519 page for troubleshooting steps.
How can I run a script like password reset (or a custom script) on one of my records?
Xton Access Manager provides the ability to associate and execute one or more Tasks on records. This can allow for elevated job execution by securely sharing this record (but not the password) with a user that would typically not be permitted to run such a command.
A Task is a combination of a Script (what is executed against the record) and a Policy (when it is executed against the record).
The following page walks through the steps to configure a task for your record.
Can I use variables or placeholders in my scripts?
Yes, scripts can be constructed so that upon execution the user will need to enter specific values to determine exactly what command will be executed.
The following page describes how to use variables or placeholders in your XTAM scripts.
Can XTAM scan my network and help me locate privileged systems?
Yes, as part of the XTAM Job Engine, several types of Discovery Queries can be executed to help administrators locate and more easily bring “under management” privileged systems.
The following Privileged Discovery Queries article describes the concept and the steps needed to set up and run your own discoveries.
Can XTAM be configured to automatically rerun failed jobs?
Yes, XTAM can be configured by System Administrators to automatically reprocess all failed periodic jobs or tasks for a defined interval during a specific window of time.
In the following Automated Job Rerun article, we will describe the configuration options available for the reprocessing of these failed periodic jobs or tasks.
How do I automatically change my OpenLDAP passwords?
XTAM provides the option to manually or automatically reset or rotate the password of both Administrator and User accounts on OpenLDAP-compliant servers.
In the following OpenLDAP Password Reset FAQ article, we will describe the process of using Xton Access Manager to automatically rotate or reset passwords associated to OpenLDAP accounts. The first section will detail the configuration required for rotating the passwords for Admin accounts and the second will detail the process for non-Admin accounts.
How do I automatically reset my Azure or Office 365 passwords?
If Azure or Office 365 Admin accounts are shared, or if they must remain secured, then it is imperative that they be stored in a secure location that provides the ability to rotate or reset the password as needed or automatically. This limits the risk of highly privileged Administrator accounts escaping the confines of your IT perimeter and being phished or socially engineered by bad actors.
In the following FAQ article, we will describe the process of using Xton Access Manager to automatically rotate or reset passwords associated to Azure or Office 365 accounts. The first section will detail the configuration required for rotating the passwords for Admin accounts and the second will detail the process for non-Admin accounts.
Can XTAM verify an endpoint's hostname before tasks are executed against it?
Yes, to prevent potential abuse, XTAM can be configured to first verify the Windows hostname before it executes tasks against this endpoint.
For more information about this feature, please read our Record Hostname DNS Verification article.
Can XTAM cleanup the membership of a local Windows group like Administrators?
Yes, XTAM provides a task that can be executed against any Windows Host that will locate a group and remove all users that are not specified. This is helpful when thinking about your business’s least-privilege model and wanting to remove unnecessary admin rights from users, particularly those in the Administrators group. This task can be executed On Demand or configured to run automatically to maintain compliance.
Please review the following page for details about how to configure and customize this task in your environment.
I have a Windows account that is being used as the Log On account for a Service. How can I rotate this password without causing a service logon failure?
This is a common scenario where the password associated with a service account needs to be updated without causing services to break or fail to log on. This could be done manually, but if the password rotation happens frequently, it can be time consuming and error prone.
The following article describes the process to execute or automate this Windows password reset that has service dependencies.
I have a Domain account that is being used as the Log On account for a Service on several Windows endpoints throughout my domain. How can I rotate this password without causing a service logon failure on each host?
This is a common scenario where the password associated with a domain-based service account needs to be updated without causing services to break or fail to log on. This could be done manually, but if the password rotation happens frequently, it can be time consuming and error prone.
The following article describes the process to execute or automate this Domain Service Account password reset that has service dependencies across several endpoints.
I don't know my Windows account's current password. Can I still rotate it?
Yes! We get this question quite often because sometimes people forget, or perhaps never knew, the password for non-user Windows accounts such as Service Log On or Application Pool identities. As long as you have access to an account that is in the host’s local Administrators group, it is quite easy.
Review the following page to understand how to configure an XTAM record for password reset without specifying its current password.
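The three questions above (a local service account, a domain service account used on several hosts, and an account whose current password is unknown) are all the same procedure. The script below is an added example written for this FAQ, not XTAM's own password reset task: it resets the account without needing its current password, then updates the stored password in every service that logs on as that account on every listed host, and only then restarts those services. It assumes WinRM and administrative rights on each target, the ActiveDirectory module for the domain case, and the host names app01 to app03 and account CORP\svc_app are made up.

```powershell
# Added example, not XTAM's own task. Rotates the password of a service Log On
# account and repairs every service that uses it, on one or many hosts.
# Assumptions: WinRM is enabled and you are an administrator on every target;
# for a domain account the ActiveDirectory module is installed and you may
# reset that account. The current password is never needed: Set-LocalUser and
# Set-ADAccountPassword -Reset both work on administrative rights alone.
function Update-ServiceLogonPassword {
    [CmdletBinding()]
    param(
        # Written exactly as the service's StartName shows it: 'CORP\svc_app' or '.\svc_local'
        [Parameter(Mandatory)] [string]       $Account,
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [switch]   $DomainAccount
    )

    $sam = ($Account -split '\\')[-1]

    # 1. Reset the account itself. Running services keep their existing logon
    #    token, so nothing fails until one of them is restarted.
    if ($DomainAccount) {
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $NewPassword
    } else {
        Set-LocalUser -Name $sam -Password $NewPassword
    }

    # 2. Push the new password into every service that logs on as this account.
    #    Win32_Service.Change() needs the plaintext; it travels inside the
    #    encrypted WinRM channel and is not written to disk or logs.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Account, $plain -ScriptBlock {
        param($Account, $Password)
        # WQL string literals need the backslash in DOMAIN\user doubled.
        $filter   = "StartName='{0}'" -f ($Account -replace '\\', '\\')
        $services = @(Get-CimInstance -ClassName Win32_Service -Filter $filter)

        foreach ($svc in $services) {
            $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $Password }
            if ($r.ReturnValue -ne 0) {
                throw "Change() failed for $($svc.Name) on $env:COMPUTERNAME, return code $($r.ReturnValue)"
            }
        }

        # 3. Restart only after every service holds the new password, so a
        #    dependent service restarted by -Force never starts with the old one.
        foreach ($svc in $services) {
            if ($svc.State -eq 'Running') { Restart-Service -Name $svc.Name -Force }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Service  = $svc.Name
                State    = (Get-Service -Name $svc.Name).Status
            }
        }
    }
}

# Example: a domain service account used on three application servers.
$new = Read-Host -AsSecureString -Prompt 'New password for CORP\svc_app'
Update-ServiceLogonPassword -Account 'CORP\svc_app' -NewPassword $new `
    -ComputerName 'app01', 'app02', 'app03' -DomainAccount |
    Format-Table Computer, Service, State
```

Between step 1 and step 3 there is a short window in which a service that restarts on its own would fail to log on, which is why the account reset and the service updates belong in one run rather than two separate change tickets. Scheduled tasks and IIS application pools that run as the same account are not covered by Win32_Service and need their own update.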
I want to enable Password Reset tasks for my Azure or Office 365 accounts. What needs to be configured in Azure?
In order to rotate or reset Azure or Office 365 account passwords, you will first need to create and register an Azure Active Directory App in your Azure Portal.
Please follow the steps provided on this page to set up and configure this App in Azure and XTAM. Note that Administrator accounts are required for this procedure.
I executed a Task and it failed with an Error response message or code. Where can I find more information to help troubleshoot this error?
Occasionally, a Task or Script will fail to execute for a number of reasons. The following Job Detail Error Response page details a variety of potential issues related to Job Errors and provides a few troubleshooting steps.
If your error message or code is not listed or the recommended steps did not resolve your error, please contact Support for additional assistance.
What are XTAM reports?
XTAM captures events and activities across all operations of the solution. This information is stored internally and made available to users to better understand how the XTAM system is being used and to provide reporting in the case of a discovery, audit or forensic investigation.
XTAM also provides integration with SIEM and Syslog products so log data can also be gathered and reported outside of this solution.
Who can access the XTAM reports?
XTAM reports are only available to users or groups of users that have been granted the Global Role of System Administrator or Auditor.
How do I work with these reports?
The reports are available to any System Administrator or Auditor that logs into XTAM. All reports are accessible from the Reports section of the left navigation and provide the following functionality.
- Filters that allow for report events to be specified based on parameters like time and category.
- Search box to query and locate specific events based on parameters like name, events and ID.
- Export commands to make the reports available to users outside of the XTAM system. CSV and PDF formats are available for export.
Please note that not all reports provide the same level of functionality. To learn about the specific information and functionality contained in each report, please click on the Report Name in the Show Available Reports section of this FAQ.
The Access report provides a list of all users (unwound from groups) that have access to the selected object, their level of access and how they have been granted access (Group Membership, Individual ACL, Global Role or Global Permission).
Read about the Access report here.
The Audit Log provides a report of audit events captured throughout the XTAM solution by all users and activities. Use this report to investigate Audit Events in XTAM.
Read about the Audit Log report here.
The Custom Reports menu allows for System Administrators to generate their own custom reports using the HQL querying language.
Read about the Custom Reports here.
The Inventory report provides a list of all objects (records and folders) along with their metadata and permissions. Use this report to find objects based on metadata, activity or permissions.
Read about the Inventory report here.
The Job History report provides a list of all Jobs or Tasks that have already been executed, along with their details. Use this report to find details about scheduled or previously executed tasks.
Read about the Job History report here.
The Job Summary report provides a list of all Jobs or Tasks that have already been executed, aggregated to illustrate a summary of their results including a number of executions per task per day. The summary can be displayed in a data-table or presented in a line chart.
Read about the Job Summary report here.
The Requests report provides a list of all Workflow Instances, including those that are active, approved and rejected. Use this report to find any information about Workflow instances and states.
Read about the Requests report here.
The Session report provides a list of all Active and Completed remote sessions in XTAM. Use this report to investigate session activity and to access video and keystroke recordings.
Read about the Sessions report here.
The Session Events report provides a list of all keystrokes, clipboard text and command sequences users entered during any remote session. Use this report to investigate session activity and search for keystroke or command entries throughout all sessions.
Read about the Session Events report here.
The Statistics reports provide a graphical view of various categories of objects throughout the XTAM system. Use these reports to understand system usage and various trends over time.
Read about the Statistics report here.
The Task report provides a list of all records that have at least one task associated to them, along with each task’s details.
Read about the Tasks report here.
The Users report provides a list of all users and groups that have accessed XTAM. Use this report to understand user behavior, activity, permissions and IP based locations.
Read about the Users report here.
The Workflows report provides a list of all workflows along with their templates, bindings and configuration.
Read about the Workflows report here.
What is your Break Glass procedure?
A break glass procedure refers to a quick method by which a user who would ordinarily not have access to a managed system can gain that access when needed, usually during an emergency. The term “break glass” is a reference to breaking the glass cover of a fire alarm pull station in the event of an emergency.
The following article describes the Break Glass scenarios and procedures in XTAM.
Does XTAM have REST APIs that can be called by external scripts, applications or third party products?
Yes! XTAM has a full library of REST APIs that can be called by external scripts, applications and third party products.
For a list of API examples called via PowerShell scripts, see here.
For a list of API examples called via Shell scripts, see here.
To learn about using Authentication Tokens to call the XTAM APIs, see here.
If you have a specific question or don’t see an API listed, please contact our Support Team for further assistance.
What levels of Permissions are available in XTAM?
Xton Access Manager provides a robust set of permissions that can be granted to users or groups (Principals) in order to control the level of access they have to objects and areas of the software.
Note that permissions in XTAM are additive, meaning that a higher level of permission includes all the rights of the lesser levels, and permissions can be inherited from folders.
What is the Auditor role and what does it permit?
XTAM now includes an additional Global Role named “Auditor”. This Auditor role allows for a Compliance Officer or Auditor to review and monitor the XTAM system and its records without having direct permissions to each object or exposing secrets and compromising security.
A user that has been granted this “Auditor” role:
- Can View all records and folders. This includes Name, Description as well as any other record fields (except secured fields).
- Can review Record Properties including Type, Created By and Last Modified By parameters.
- Can access the Audit Log associated to records as well as the XTAM system.
- Can access the Session History associated to records as well as the XTAM system.
- Can access the Job History associated to records as well as the XTAM system.
- Can access the Workflows associated to records as well as the XTAM system.
- Can access the XTAM system Reports.
A user that has been granted this “Auditor” role:
- Cannot “Unlock” or download secrets, passwords, certificates or any other object associated to a secured field.
- Cannot Connect, Join or Terminate active sessions.
- Cannot review a record’s Change History.
- Cannot execute jobs, scripts or password reset tasks.
- Cannot Create, Edit or Delete a folder or record.
- Cannot Create, Edit or Delete a workflow, template, binding or grant approval.
- Cannot modify Formulas, Tasks or Permissions of a record or folder.
- Cannot reorganize folders or records using the Cut, Copy or Paste commands.
Please note that if a user or group is assigned the Auditor role plus additional permissions to a folder or record, the privileges associated to the folder or record will take precedence over that of the global Auditor role.
My Active Directory user logins are quite slow. What causes this and can they be improved?
In order to support as many Active Directory integrations as possible, XTAM has to account for various configurations that may or may not be optimal for your particular environment. If you are experiencing occasional slow logins with your Active Directory accounts, please read our Active Directory User Authentication is slow. What causes this? article to learn more about our integration and several methods that can improve this experience.
Can I update XTAM's JRE framework to the latest version or to OpenJDK 11?
Yes, you can update XTAM’s framework following the procedure outlined in the link below. We highly recommend setting up a test deployment of XTAM to practice the upgrade process before attempting it on your production instance.
For more information, please read our JRE Migration article.
How do I change the password length or complexity for my auto generated passwords?
You can create inherited or unique password Formulas in XTAM to auto generate or enforce password requirements that conform to your standards.
For more information, please read our Password Formula article.
Can I change the password length or complexity requirements for XTAM Local User accounts?
Yes. The default password requirements of 8 characters including 1 upper case, 1 lower case and 1 numeric value may not meet your network policies and therefore can be modified rather easily.
To update the Local Users password formula, please follow the steps detailed here.
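The two questions above both come down to a formula: a minimum length plus minimum counts of upper case, lower case, digits and symbols. The script below is an added example written for this FAQ (it is not XTAM's formula engine) showing how a generator satisfies such a formula from a cryptographic random source, and the matching check you can run on any password before accepting it. The function names and the default symbol set are assumptions for the example.

```powershell
# Added example, not XTAM's own formula engine. Generates a password that
# satisfies a formula (length plus minimum counts per character class) from a
# cryptographic RNG rather than Get-Random, and checks any password against it.
function New-FormulaPassword {
    param(
        [int] $Length = 16,
        [int] $MinUpper = 2, [int] $MinLower = 2, [int] $MinDigit = 2, [int] $MinSymbol = 2,
        [string] $Symbols = '!@#$%^&*()-_=+[]{}:;,.?'
    )
    $upper  = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $lower  = [char[]]'abcdefghijklmnopqrstuvwxyz'
    $digit  = [char[]]'0123456789'
    $symbol = [char[]]$Symbols
    $all    = $upper + $lower + $digit + $symbol
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform index in [0, n): four random bytes reduced modulo n, rejecting
    # draws at or above the largest multiple of n so no index is favoured.
    function Get-Index([int] $n) {
        $buf   = [byte[]]::new(4)
        $limit = 4294967296 - (4294967296 % $n)
        do {
            $rng.GetBytes($buf)
            $v = [BitConverter]::ToUInt32($buf, 0)
        } while ($v -ge $limit)
        return [int]($v % $n)
    }

    $required = @(
        @{ Set = $upper;  Min = $MinUpper  }
        @{ Set = $lower;  Min = $MinLower  }
        @{ Set = $digit;  Min = $MinDigit  }
        @{ Set = $symbol; Min = $MinSymbol }
    )
    $chars = [System.Collections.Generic.List[char]]::new()
    # Draw the required characters from each class first ...
    foreach ($req in $required) {
        for ($i = 0; $i -lt $req.Min; $i++) { $chars.Add($req.Set[(Get-Index $req.Set.Length)]) }
    }
    if ($chars.Count -gt $Length) { throw "Minimum counts exceed Length=$Length" }
    # ... then fill the rest from the whole alphabet.
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-Index $all.Length)]) }

    # Fisher-Yates shuffle so the required characters are not clustered at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-Index ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-FormulaPassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [int] $Length = 16,
        [int] $MinUpper = 2, [int] $MinLower = 2, [int] $MinDigit = 2, [int] $MinSymbol = 2,
        [string] $Symbols = '!@#$%^&*()-_=+[]{}:;,.?'
    )
    $c = [char[]]$Password
    return ($Password.Length -ge $Length) -and
        (@($c | Where-Object { [char]::IsUpper($_) }).Count -ge $MinUpper) -and
        (@($c | Where-Object { [char]::IsLower($_) }).Count -ge $MinLower) -and
        (@($c | Where-Object { [char]::IsDigit($_) }).Count -ge $MinDigit) -and
        (@($c | Where-Object { $Symbols.IndexOf($_) -ge 0 }).Count -ge $MinSymbol)
}

# Generate under a stricter formula and confirm the result satisfies it.
$pw = New-FormulaPassword -Length 20 -MinSymbol 3
Test-FormulaPassword -Password $pw -Length 20 -MinSymbol 3
```

The rejection step in Get-Index matters: a plain modulo of a 32-bit value slightly favours the lower characters of each class, and Get-Random is seeded from a non-cryptographic source, so neither belongs in a credential generator.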
What event levels are used for XTAM logging?
XTAM uses the industry standard Log4j logging mechanism for the processing and filtering of its own log messages, which includes the levels Trace, Debug, Info, Warn, Error and Fatal. While not all levels are used or enabled by default, messages are filtered with these standards in mind.
To learn about which levels are used and how events are categorized by XTAM, please read our Log Event Level article.
Can I change the default location where XTAM saves its content to a network path?
Yes, XTAM provides options to define new paths for its Content, Export and Temporary file locations. Changing these parameters is particularly useful for High Availability deployments or for deployments where additional security or storage devices are required.
To learn how to change these storage locations, please read the steps here.
How can I check and update the software to the latest version?
The development of Xton Access Manager follows an Agile development process which means a fast paced and frequent software release cycle. Due to this, the software provides an easy method to check for and ultimately deploy the latest version.
To update XTAM, please review the procedure detailed here.
I want to receive (or stop receiving) alerts and notifications. Where is the option?
Alerts and Notifications within Xton Access Manager (XTAM) can be configured on either Records (Owners only), Folders (Owners only) or System Events (System Administrators only). These notifications will alert the user to activity that has taken place against that object within a short period of time. This is useful if a record contains a sensitive file or can establish a session to a privileged computer and you need to be aware of its activities.
Please click here to learn how to subscribe, unsubscribe and view alerts in Xton Access Manager.
Does XTAM support any languages other than English?
Yes, XTAM’s GUI (graphical user interface) can be switched between a few languages.
The following page describes how the language can be changed Globally (so that it applies to all users) or Personally (so that it only applies to your session).
How do I login and logout properly?
Users who have been granted permission or access to at least one object will be able to log in to Xton Access Manager using their appropriate account and password.
To login to Xton Access Manager:
Open your browser to the Xton Access Manager’s login page. The default is https://localhost:6443/xtam
When prompted, enter your account name and its password. For AD accounts, simply use the logon name, the domain is not required. Click the Login button to continue.
Upon successful login, you will be directed to the XTAM home page. If unsuccessful, please try again.
To logout of Xton Access Manager:
Locate and click the Logout button in the application’s top right bar.
For security reasons, please close your web browser after you have completed the logout operation.
Can I customize the templates that are used for email notifications?
Absolutely and it is quite simple to do if you know a little about working with HTML files. Here’s how:
Login to the XTAM host computer and copy the “templates” directory from here $XTAM_HOME/web/webapps/xtam/ to here $XTAM_HOME/content/.
Modify the html files as needed. We recommend you test your updates using the “email_test.html” template as this is only sent when using the Test Email option in the Mail Server configuration. Save and close each when you are done.
That’s it! Trigger an action that causes an email notification (i.e. Test Email in the Mail Server configuration) in your system to test your new templates.
I need help. How do I contact support?
If you reviewed all the documentation and FAQs and are still having issues, or if you just want to speak with our support team, please contact us and we will be happy to assist.
When contacting us for support, please be prepared to
- Demonstrate the issue on a screen sharing session or describe to us how it can be reproduced
- Provide screenshots illustrating the issue
- Recreate, generate and share the application’s log files so the issue can be further diagnosed.
Which MFA providers are supported?
XTAM supports RADIUS for authentication which most MFA providers utilize in their own solutions, therefore many MFA products can be successfully integrated with XTAM. If you have a specific MFA or 2FA provider that you would like to inquire about, please contact us for more information.
Please review this page for MFA Configuration options for user logins.
Can I reset a user's MFA registration?
Yes, if you need to re-register a user with your MFA provider, then please follow the procedure detailed in the Reset MFA Token article.
Duo Security MFA - How to Configure (Admin)
Xton Access Manager (XTAM) supports multi-factor authentication by integrating with Duo. If you already use Duo MFA or would like to start using it with XTAM, please review the following page for configuration steps.
Google Authenticator (TOTP) - How to Configure (Admin)
Xton Access Manager (XTAM) supports multi-factor authentication by integrating with Google Authenticator (TOTP). If you already use Google Authenticator or would like to start using it with XTAM, please review the following page for configuration steps.
YubiKey MFA - How to Configure (Admin)
Xton Access Manager (XTAM) supports multi-factor authentication by integrating with YubiKey v4 and 5 devices. If you already use YubiKey or would like to start using it with XTAM, please review the following page for configuration steps.
Can I set different MFA providers (or none) for individual users or groups?
Yes, if you would like to configure different MFA providers (or no MFA requirements) for individual users or groups, then please read our MFA Configuration article for more information.
Duo Security MFA - How to Login (Users)
The experience for users who must use Duo MFA to login is slightly different than the traditional style of username and password entry that they are probably accustomed to. Although not drastically different, the following procedure must be performed by every user whose account is configured to use Duo MFA in XTAM.
As an XTAM admin, please become comfortable with this initial registration process as user questions may arise. The following page details how an end user will login using Duo MFA the first time to register their device and the process for each subsequent login. Logging in to Xton Access Manager with Duo Multi-Factor Authentication.
Google Authenticator - How to Login (Users)
The experience for users who must use Google MFA to login is slightly different than the traditional style of username and password entry that they are probably accustomed to. Although not drastically different, the following procedure must be performed by every user whose account is configured to use Google MFA in XTAM.
As an XTAM admin, please become comfortable with this initial registration process as user questions may arise. The following page details how an end user will login using Google MFA the first time to register their mobile device and the process for each subsequent login. Logging in to Xton Access Manager with Google Multi-Factor Authentication.
YubiKey - How to Login (Users)
The experience for users who must use YubiKey MFA to login is slightly different than the traditional style of username and password entry that they are probably accustomed to. Although not drastically different, the following procedure must be performed by every user whose account is configured to use YubiKey MFA in XTAM.
As an XTAM admin, please become comfortable with this initial registration process as user questions may arise. The following page details how an end user will login using YubiKey MFA the first time to register their device and the process for each subsequent login. Logging in to Xton Access Manager with YubiKey Multi-Factor Authentication.
What is the Xton Access Manager Browser Extension
The Xton Access Manager Extension is a native browser extension that can be utilized by XTAM users to auto-populate Web login forms using records that are stored within the Xton Access Manager Identity Vault. Once logged into XTAM within the browser extension, it will securely communicate with the Identity Vault to locate any records associated with the currently displayed login form and, if found, will give the user the ability to populate the username and password fields with a single click.
Continue reading about the Xton Access Manager Extension here.
How can I use the Extension in my browser?
The Xton Access Manager Extension is designed to be simple to deploy and simple to use. The following How To page describes the process from deploying the extension to your browser to using it for the first time.
The records that appear in the Extension, where do they come from?
The Extension reads and displays records that are stored in the XTAM server’s AES-256 encrypted Identity Vault. Based on the stored records and their associated permissions, the extension determines when and to whom it will allow access to a record.
To learn more about this, please read the following page.
Can the browser extension display records for users with Viewer only permission?
Within XTAM, a user is required to have at least Unlock permissions on a record to see or reveal its secured field, like a password. By default, the XTAM Browser Extension uses this same requirement; however System Administrators can lower or decrease this requirement to allow users with Viewer permissions to load shared credentials from within the extension. This maintains the security around these fields in XTAM, while extending the functionality of loading login forms to more users.
While our default and recommended setting remains set to Unlock, if your organization fully secures the user browser and endpoints with sufficient enterprise policies, you may now update this requirement to support your use case.
To change the minimum permission level for the XTAM browser extension plugin, please perform the procedure detailed on this page.
My input fields are not auto-populating. How can I resolve this?
The Extension attempts to automatically read and detect input fields across a variety of web page layouts, but it does not always detect fields with non-standard configurations. If the Extension is not detecting the user or password field on your web login page, the following FAQ page details some steps to resolve this behavior.
Which browsers are supported?
The Xton Access Manager Extension supports the latest version of the following desktop browsers:
- Google Chrome
- Microsoft Edge (coming soon)
- Mozilla Firefox
Does the Extension work in Opera?
The Xton Access Manager Extension is supported as an extension for the Opera browser; however, it is not available within the Opera Extension marketplace.
If you are an Opera user, the following page will detail the process to deploy the Chrome Extension to your Opera browser.
Still can’t find what you are looking for? Send us an email and we will be happy to help!